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Abstract. We consider the problem of checking whether an elliptic curve defined over a given 
number field has complex multiplication. We study two polynomial time algorithms for this prob- 
lem, one randomized and the other deterministic. The randomized algorithm can be adapted to 
yield the discriminant of the endomorphism ring of the curve. 
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1. Introduction 

It is a well known fact that the endomorphism ring of an elliptic curve over a number field is isomor- 
phic to either Z or an order in an imaginary quadratic field. If the latter holds then the curve is said 
to have complex multiplication (CM.) Elliptic curves with complex multiplication have found appli- 
cations in cryptography and coding theory, since there are closed form expressions for the number 
of points on such curves modulo prime ideals. This property was also utilized in the Atkin-Morain 
primality proving method AtMor93 . Constructing elliptic curves with complex multiplication is 
computationally very expensive. In this article we show that testing an elliptic curve for CM is easy. 

If one fixes the number field over which the curves are defined, then CM testing becomes very 
easy, albeit with considerable pre-computation. For this reason we consider the number field as 
being part of the input (this issue is explained in section fJJJ). Once one defines the problem in this 
way, an approach immediately suggests itself: transform the method of constructing curves with 
complex multiplication into a solution for this problem. Unfortunately, to implement this method 
one needs good effective lower bounds on class numbers of imaginary quadratic fields, which is a 
notorious open problem. This approach and its analysis is the subject of 

Our next approach, discussed in ^21 uses the elegant results of Deuring on the reduction of endo- 
morphism rings of elliptic curves and Serre on the density of supersingular primes. The approach 
is based on the observation that supersingular primes are plentiful for curves with complex multi- 
plication. This yields a two-sided error probabilistic polynomial time algorithm for this problem. 
We also show how this method can be adapted to find the discriminant of the endomorphism ring, 
but the analysis of this stage of the algorithm presents some challenging open questions. However, 
we can use the results we obtain here to make the error in the randomized algorithm one-sided. A 
similar algorithm is sketched in CNST98 without a precise analysis of the probability of failure 
and the running time. We improve their results in two ways. First, our algorithm is simpler to 
implement. Second, unlike theirs, our proof is rigorous and does not rely on unproven heuristic 
assumptions. 
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The final method, which we believe is new, discussed in ^SJis based on studying the image of the 
galois representations afforded by ^-torsion points on the curve. This method is deterministic and 
has a polynomial running time, but we are unable to bound the (multiplicative) constant in the 
running time effectively. 



2. Preliminaries 

Let L be a number field and let E/L be an elliptic curve. Every elliptic curve over L is isomorphic 
over L to one that is given by an equation of the form f |Si!86| III.§1) 

(1) Y 2 Z = X 3 + AXZ 2 + BZ 3 

with A,B<EL and 4A 3 + 27 B 2 ^ 0. If E is an elliptic curve that is given by an equation of the 
above form, then we define the discriminant of E by 

A E = -16(4A 3 + 27B 2 ) 

and the j-invariant of E to be the quantity 

-1728(4^) 3 
3E = r • 

For the rest of the article, an elliptic curve over a number field L is a curve given by an equation 
of the form Q with coefficients in L. 

2.1. Structure of the Endomorphism ring. Let E\,Ei be two elliptic curves defined over L. 
H.om(Ei, E2) is the set {(f) \ (j> : E\ — ► E2 is an isogeny}. Hom(,Ei, E^) is given a group structure 
by defining addition of maps pointwise. End(i£) as a set is defined to be Hom(E, E). End(i£) is a 
ring with multiplication defined to be composition of isogenics. The multiplication-by-m map [m] 
belongs to End(-E) for each m £ Z. In fact, the map Z — > End(-E) given by m 1— ► [m] is an injection 
of rings. The following result of Deuring gives the possibilities for End(-E). 

Theorem 2.1 (Deuring). Let E/L be an elliptic curve, then End(-E) is either Z or 6 , an order in 
an imaginary quadratic field K . 

Suppose E/L is an elliptic curve with G = End(-B) 7^ Z. Then we say that E has complex 
multiplication (by 0.) Sometimes, for brevity, we write "E has CM" instead of "E has complex 
multiplication." 

2.2. Weil Height. We introduce the notion of the Weil height of an algebraic number which we 
need in ^Hl 

Definition 2.2. Let a G Q be an algebraic number with minimal polynomial 

Pa(x) = aox d + aix^ 1 + • • • + e 7L\x\. 

Assume that p a {x) = ao(x — ot\){x — 02) ■ ■ ■ (x — a<j) with a, G C. Then the absolute logarithmic 
Weil height (or just Weil height) of a is defined to be the quantity 



h(a) = -nog|a | + ^ max{l, |ai|} J . 

( ' 1 Ki<d 



With the notation of the definition, we have the following useful bound f |Fe!82j Lemma 8.2) 
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h(a) < ^log^ |aj| 
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Thus the Weil height of an algebraic number is bounded polynomially by the encoding length of 
its minimal polynomial. Also, we denote the quantity Y2i \ a i\ by w(a). 

If E/L is an elliptic curve we define the Weil height of E to be h(j£), the Weil height of its 
j-invariant. 

3. The Problem 

The computational problem that is the focus of this article is the following: 
Complex multiplication of elliptic curves: 

Input: A number field L, and an elliptic curve E : Y 2 Z = X 3 + AXZ 2 + BZ 3 with A, B £ L. 
Question: Does E have complex multiplication? 

We will assume that L = Q(je), since E always has a model over Q(jb) and we can restrict to 
the subfield generated by je- The input is specified by giving the minimal polynomial of A and 
B from which the minimal polynomial of je can be determined efficiently. The size of the input 
is measured by the size of the encoding of the minimal polynomials of A and B. The encoding 
length of a polynomial p(x) = aox d + a\x d ~ x + • • • + a^, with integer coefficients, is defined to be 
the quantity ^ 0<i<d max{l, log |a,|}. Note that the encoding length of a non-zero polynomial p{x) 
is at least the degree of p(x). 

Our main concern is the complexity of the above decision problem. A consequence of the algo- 
rithms presented in this article is that the above decision problem is in P. Next, we explain why 
the number field needs to be part of the input. 

The complex points on E, namely E(C), has a particularly simple interpretation as C/Ce, where 
Ce is a rank 2 lattice such that Ce ®z K = C. In this description, isomorphic elliptic curves 
correspond to lattices that differ by a non-zero complex scalar ( jSi!86j VI Ex. 6.6). Suppose E/C 
is given by a lattice Ce, then there is an isomorphic elliptic curve given by the lattice Z + TLte 
with te G i}, where fj = {z £ C : Qz > 0}. There is a simple criterion for deciding when E has 
complex multiplication, provided E is given as C/(Z + TLte) (_Sil86 j Theorem VI. 5. 5): 

Let r be an imaginary quadratic number with minimal polynomial ax 2 -\-bx-\-c and gcd(a, b, c) = 1. 
Then the discriminant of r is b 2 — Aac. 

Theorem 3.1. Let E = C/(Z + Zt£) with te € Sj. Then E has complex multiplication by an order 
&D °f discriminant D iff te is a quadratic number of discriminant D as defined above. 

We also have the following important theorem (see |Coh93j Theorem 7.2.14 or Sil94 Chapter 2): 

Theorem 3.2. Let r G Sj be an imaginary quadratic number, and let D be its discriminant. Then 
j(r) (here j is the usual modular j -function) is an algebraic integer of degree equal to h(D), where 
h(D) is the class number of the imaginary quadratic order of discriminant D. More precisely, the 
minimal polynomial of j(r) over Z is the equation Y\(X — j(a)), where a runs over the quadratic 
numbers associated to the reduced forms of discriminant D. 

We can interpret Theorems 13.11 and 13.21 as follows. If E/L has complex multiplication by &Di an 
order of discriminant D, then its j-invariant has only h{D) possibilities, and is an algebraic integer 
of degree h(D). Noting that h{D) — > oo as D — > — oo, one concludes that if we fix a number field 
L, then there are only finitely many j-invariants of elliptic curves defined over L that have complex 
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multiplication. In other words, if we fix any L, the problem of checking when an elliptic curve over 
L has CM becomes trivial from a complexity viewpoint: pre-compute this list of j-invariants for 
the field and check if the curve is one of them. The pre-computation cost though prohibitive is still 
a computation that requires only O(l) time. For instance, the list for L = Q is given in §7.2 of 
Coh93 . This is why we insist on the field being part of the input. 



Remark 3.3. The j-invariants of elliptic curves with CM are called singular moduli, and these enjoy 
many nice properties. They turn out to be algebraic integers and generate dihedral extensions of 
Q. Furthermore, in an important paper Gross-Zagier ( GZ85 ) derived a formula for the prime ideal 
factorization of j{r{) —jfa) where t\,T2 generate maximal quadratic orders with coprime discrim- 
inants. Such numbers are divisible by many primes of small norm. There is even a conjectural 
extension of this work to the case where the Tj do not generate maximal orders; see Hut98 . We 
utilize some of these properties in §§\ 

4. A Direct Approach 

We can turn the results of Theorems 13.11 and 13.21 into an algorithm for checking if an elliptic curve 
has CM as follows. First compute the Hilbert class polynomials Hjj = Y\(x — j(a)), where a runs 
over the quadratic numbers associated to the reduced quadratic forms of (negative) discriminant 
D. Next we check if the j-invariant of the elliptic curve is a root of this polynomial. If so, we know 
that E has CM by an order of discriminant D. This computation can be done in (.Dl*^ 1 ) time (cf. 
Sch85 §4). One does this for each D = 0, 1 mod 4 until the degree of Hp exceeds the degree of 
the field of definition of the elliptic curve. At this point we declare that the curve does not have CM. 

The problem with the above approach is: When do we stop trying new discriminants? The Brauer- 
Siegel theorem says that h{D) grows roughly as |_D] 2 , but this bound is not effective. We need an 
explicit lower bound for the class number in terms of the discriminant to be able to decide when 
to stop. This is a hard problem, first studied by Gauss. Only recently the following explicit bound 
was proved by Gross, Zagier, Goldfeld and Osterle (see |Zag84[ |UZ86 ): 

Theorem 4.1. If D is a negative fundamental discriminant, then 



h(D) > < 



mo H\D\) U p \d (l " , if g«l(A 5077) + 1 

^M|£|)lI P | D (l - otherwise. 



Using the fact that the class number of an order is a multiple of the class number of the quadratic 
field associated to it, and the observation that if D has t prime factors then 2* _1 | h{D) (by Gauss's 
genus theory), we obtain an effective lower bound on h(D). This results in a method whose running 
time is exponential in the degree of the field. 

5. The Randomized Algorithm 

The randomized algorithm is based on the observation that if E/L has CM, then there is an abun- 
dance of supersingular primes. This differs from the case where E does not have CM. We describe 
the algorithm first: 

Input: A number field L and E : Y 2 Z = X 3 + AXZ 2 + BZ 3 , with A,B G L. 
Steps: 

(1) If je is not an algebraic integer, output "E does not have CM." 



(2) Pick a prime p at random in the interval I = [2 • • • (/iexp(n 2+e ) max{w(^4), w(i?)}) c ], where 
c, h and e are positive constants and n = [L : Q]. 

(3) Find the decomposition of (p) = Oi ^Pf 1 ' where *}3j are prime ideals of &l (the ring of 
integers of L). If this step fails go back to step (2). 

(4) Choose a prime in this factorization uniformly at random (say) ^P, treating the copies of 
*Pi as distinct. 

(5) If N l /q%S lies outside the interval I then go to step (2). 

(6) With probability proceed with the next step; otherwise, return to step (2). 

(7) Compute the reduction E of E mod ^p. If this step does not suceed return to step (2). 

(8) Compute asp, the trace of the Frobenius endomorphism of E. 

(9) If asp = mod p then output "E probably has CM" ; otherwise, output "E probably does 
not have CM." 

First we argue that all the steps can be done efficiently, and also bound the probability of failure in 
some of the steps. Step (1) can be done by computing the minimal polynomial of je and checking 
if it is monic with integer coefficients. This can be done in polynomial time |Len91j . Step (2) 
can be done efficiently using our source of random bits and randomized primality testing methods. 
To find the splitting of the prime p we make use of Theorem 4.8.13 in |Coh93| . which leads to 
a randomized polynomial time algorithm. This algorithm not only provides us with the prime 
factorization (p) = Y\ i but also gives us the isomorphism — F p d, where ^ 5 (p) is a 

prime and d = deg(^P). The isomorphism can be used to compute the reduction of the curve in 
step (7). The prime decomposition method we suggest will fail if the prime p divides the index 
\G l '■ ^[9]], where 9 = je (note that 9 is an algebraic integer as a consequence of the check made 
at step (1)). The number of primes for which this failure can occur is bounded by the number 
of primes that divide the discriminant of the order Z[0]. Since this order has a basis of the form 
1, 9,9 2 ,- • • , 9 n ~ l , its discriminant is that of its minimal polynomial T(x) = x n + a\x n ~ l + • • • + a n . 
Using the Hadamard bound, we see that the number of primes dividing the discriminant is bounded 
by log((^ i (nai) 2 ) 2n_1 ) which is still polynomial in the input length. The reduction of the elliptic 
curve can be done in step (7) if p J(N l /qAe and this again excludes only a few primes. Thus, if c 
and h are large enough the probability that we pick a prime for which either step (3) or (7) fails 
will be negligible. Step (8) can be done in polynomial time using, for instance, Schoof's algorithm 

EMS]. 

We now explain the reason for sampling the primes as we do in steps (2) - (5). We wish to pick 
primes ^3 uniformly at random from the primes of &l whose norm lies in the interval Z. The 
sampling method we use is acceptance-rejection sampling and this ensures that we pick primes 
according to our requirement. 

Firstly, if E has CM then its j-invariant is an algebraic integer (Theorems 13.11 and 13.2(1 , and step 
(1) checks that this holds. Next, we argue that if E has complex multiplication then with non- 
negligible probability the algorithm will output that E probably has CM. For this we need a theorem 
of Deuring QLan87j Chapter 13 §4): 

Theorem 5.1 (Deuring). Let E/L be an elliptic curve with complex multiplication by an order &e 
of an imaginary quadratic field K . Let ^ be a prime ideal over the rational prime p. Assume that 
E has good reduction at ty. Then E mod *p is super singular iff ' p either ramifies or remains inert 
in K. 

Let E be an elliptic curve over a finite field F <j. Then E is supersingular iff it has no p-torsion 
points. This is equivalent to the trace of the p d -power Frobenius endomorphism being a multiple 
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of p ( S1I86 V. Ex. 5.10). Thus step (9) checks if E has supersingular reduction at the prime *p. 



Suppose E/L is a curve with complex multiplication by an order in the imaginary quadratic field 
K = Q(\AD) (where D is the discriminant of K.) Then by Theorem 15.11 the primes where E 
has supersingular reduction are precisely those primes that are either ramified or inert in K. The 
primes that ramify are those that divide the discriminant D, and the primes p that remain inert 
are those for which (-p) = —1. This immediately suggests that the proportion of such primes can 
be worked out by choosing primes in certain arithmetic progressions mod D. However, since the 
discriminant of the field K depends on the input, we need a result that is uniform in the modulus 
D. Indeed, using quadratic reciprocity and the uniform prime number theorem for arithmetic 
progressions ( |Dav 00j Chapter 20) one can show the following theorem: 



Theorem 5.2. Define 



TTni.r) - ',{ p < ,r : ( ^ ) ~ - I 



and let 5 > be fixed. Then there is a positive effective constant c > depending on 5 such that if 
\D\ < (logx) 1 " 5 then 

ttoOc) = hi(x) + 0(xe- c ^) 

uniformly in D. 

To apply Theorem 15.21 we need to ensure that \D\ < log 1_5 x. In other words, we need to pick 

i 

primes in an interval which is longer than exp(|D| 1 ~ s ) for some 5 > 0. At this point we apply 
Siegel's theorem to get a bound on \D\ in terms of the degree of the field over which E is defined. 
We use Siegel's theorem, even though it is ineffective, because the ineffectiveness affects only the 
error term in the success probability of the algorithm. This does not affect the implementation of 
the algorithm. 

Theorem 5.3 (Siegel). For each e > there is a constant (ineffective) c > such that the class 
number h{—D) satisfies 



h(-D) > cD 



By Theorem 13.21 we have that [L : Q] = h(—D), where —D is the discriminant of the order by which 
E has CM. By Siegel's theorem we get that D < c'[L : Q] 2+e , where c' is a positive constant depend- 
ing on e. Thus picking primes that are at least exp(c'[L : Q] 2+e ) will ensure ( Theorem 15 .2|) that we 
have a positive density of supersingular primes. In summary, we have proved the following theorem: 



Theorem 5.4. Fix any e > and let E/L be an elliptic curve with CM. If p is a prime picked 
uniformly at random in an interval containing [2---exp([L : Q] 2+e )] and E has good reduction at 
5 (p), then the probability that E has supersingular reduction at *p is at least \ + o(l) ; the error 
term being ineffective. 

We have shown that about \ of the rational primes give us primes of supersingular reduction for 
E. But our algorithm selects primes of &l that are most likely degree 1 primes. We need to 
ensure that this somehow does not bias against the primes of supersingular reduction for E. To 
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argue this we consider the following diagram of fields: 



QUe) 




Q 



All extensions in the diagram are galois, except possibly the extension Q(j_b)/Q ( Shi71 j Theorem 
5.7). Now since Q(V — D, j'e)/Q(j'e) is a degree 2 extension, the Chebotarev density theorem tells 
us that 



If *P is a (degree 1) prime of Q(Je) that remains inert in Q(V — D,Je) then its norm (a rational 
prime) remains inert in Q(\/ — D). Such a prime ^ is a supersingular prime if E has good reduction 
at ^3. Thus we have shown that half of the degree 1 primes of L are indeed primes of supersingular 
reduction for E. In particular, if our algorithm is given an elliptic curve with CM, then it outputs 
"E probably has CM" with probability > \ + o(l). 

Now suppose E/L does not have CM. Then we show that the probability that we pick a prime p, 
where E has supersingular good reduction at a prime above p goes to 0. For this we use a result of 
Serre ( |Ser81j §8) that says: 

Theorem 5.5. Let E/L be an elliptic curve that does not have CM and let 

^Efl = tt{^P : a prime of 0l, N^/Q^i < x,E has supersingular reduction at ^p}. 
Then for 5 > 



The implicit constant depends only on 6. 

Remark 5.6. Serre states his theorem only for elliptic curves over Q but the proof works for elliptic 
curves over number fields too. We sketch a proof of a weaker form of Theorem 15.51 in £0 There 
are stronger versions of this result, most notably due to Noam Elkies with some restrictions on the 
number field Elk91 , but the weaker version is sufficient for our purpose. For curves defined over 

Q, a famous conjecture of Lang and Trotter predicts that ite,o ~ C-EIH^ where Ce is a constant 
depending on E ( |LTr76| ). 

Theorem 15.51 immediately gives us the following result: 

Theorem 5.7. Suppose E/L is an elliptic curve that does not have CM. If is a prime picked 
uniformly at random among those whose norm lies in the interval [2 • • • x], then the probability that 
E has supersingular reduction at ^3 tends to with x. 



(2) 



t){*P : -Nq(j b )/q^P < x,deg*p = 1 and *p remains inert in 
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Putting Theorems 15.41 1531 and the remarks following Theorem 15.41 together, we see that if E/L 
has CM then the output of the algorithm is correct with probability \ + o(l), and if E/L does not 
have CM then the output is correct with probability 1 — o(l). This shows that we have a two-sided 
error randomized polynomial time algorithm for checking when an elliptic curve over a number field 
has CM. If one needs to improve the confidence of the algorithm, then one can use the standard 
boosting idea of repeating the algorithm independently many times and taking the majority vote 
(cf. |Pap95| Corollary to Lemma 11.9). 

In the Appendix we tabulate the ratio of supersingular primes to all the primes, considering only 
primes of norm < 10 5 , for certain curves. One sees that for curves with CM, this ratio is already 
close to i, and for curves without CM it is very small. 

5.1. Finding the discriminant of End(E). Suppose E/L is an elliptic curve with CM. Then 
even at the primes where E has non-supersingular good reduction, the trace of Frobenius gives 
important information. The following theorem of Deuring is the main tool we use f |Lan87| Chapter 
13 §4, Theorem 12): 

Theorem 5.8 (Deuring). Let E/L be an elliptic curve with CM by Ge, & n order in an imaginary 
quadratic field K . Assume that p is a rational prime that splits completely in K and that *p D (p) 
is a prime of L above p. Suppose that E has good non-supersingular reduction E atty and that p 
does not divide the index \&k '■ Ge] (Gk is the ring of integers of K). Then End(-E) = End(E'). 

Let E/L be a curve with CM by Ge- Suppose we pick a prime of good reduction *p of L and find 
that a«p mod p for the reduction E (where asp is the trace of Frobenius on E). Then assuming 
p does not divide the index of Ge (which happens with high probability), we get from Theorem 
15.81 that Ge = End(-E') = End(-E). Since E is an elliptic curve over a finite field F p d, (d = degree 
of *p) the p d -power Frobenius endomorphism <f> satisfies 

(3) (f> 2 - a<p0 + p d = 

as an element of End(E'). Since the latter is an order with discriminant D@„ (say) equation (j3J) 
implies that 

(4) a| - Ap d = m\De E 

for some mrp 6 Z. Since E is not supersingular this quantity is never 0. The idea is to pick different 
primes (assume that the reduction of the curve is non-supersingular), and compute the quantities 
Wi = aL. — 4p d and gcd(ii?j). We hope this gives us Dff E . However, we do not know how to argue 
that the gcd(wj) quickly converge to the discriminant. In experiments, two trials were sufficient in 
every case we tested. Another piece of information that equation (JIJ and Hasse's bound yield is 
this. If 4p d < \Dff '|, then the hypotheses of Theorem 15.81 must fail. Thus the curve either has bad 
reduction, or supersingular reduction, or p must divide the index of the order Ge- hi the last case 
it turns out that the endomorphism ring of E is an order of index [Gk : Ge]/p v , where p r is the 
largest power of p dividing the index of Ge- Thus we get some information about the index of Ge- 
If, on the other hand, E does not have CM, then the Wi should behave randomly and we should 
get gcd(wj) = 1 very quickly. Again, we are unable to prove this. 

Remark 5.9. We can use the ideas here to make the error in the randomized algorithm one-sided. 
Taking a bunch of primes ^ and reducing the curve we can find the quantity Wi (for those primes 
of ordinary reduction). If gcd(wj) = 1, then we know for certain that the curve does not have 
CM. However, we cannot prove that if E does not have CM, then this will happen for a reasonable 
number of primes The method in iCNSTQHj also incorporates a similar idea, but in their proof 
(of Theorem 3) they claim, in essence, that the Wi behave like random numbers without proof. Our 
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algorithm in ^Slhas two-sided error, but its behavior is rigorously proved. If one uses the one-sided 
error version, then its running time analysis needs the heuristic assumption that the Wi behave like 
random numbers if E does not have CM. 

6. The Deterministic Algorithm 

This method uses the galois representations that are afforded by the elliptic curve. We briefly 
describe such galois representations in the next subsection. 

6.1. Galois Representations from Elliptic curves. For more on this subject the reader should 
consult Serre ( |Ser89j ) and also Silverman ( Sil86 III §7). Let E/L be an elliptic curve and let I 
be a prime. The set of ^-torsion points on E is 

E[i] = {P E E(C) : £P = oo}, 

where oo is the identity on E. It is known that E[£] ^ (Z/£Z) x (Z/£Z) ( EM HI §6.4). Let 
Gl = Gal(L/L) be the absolute galois group of L. If K D L is a galois extension, then Gl acts on 
E{K) (the points on E(C) with coordinates in K) by sending the point (x : y : z) to (x a : y a : z a ) 
for a <E G L . 

Gl also acts on E[£] since the multiplication by £ maps are defined over L. Thus we get a map 

Pi : G L -» KvX{E\£\) GL 2 (F £ ). 

This is a continuous group homomorphism (with profinite topology on Gl and discrete topology 
on GL2(F^)) and gives us a representation of Gl- Now if a G Gal(L / L(E[£])) then it acts trivially 
on E[£]. Thus the representation factors through the extension L(E[£]) and we get a representation 
of Gal(L(E[£])/L): 

Pe : G&L(L(E[£])/L) GL 2 (F £ ). 

The representation is clearly injective. It turns out that Im p£ depends critically on whether E has 
CM or not. We discuss this next. 

6.2. Image of pi if E does not have CM. Suppose E/L does not have CM. Then a famous 
theorem of Serre f |Ser72j ) says the following: 

Theorem 6.1. Let E/L be an elliptic curve that does not have CM. Then for all large enough 
primes I, the representation pi is surjective, i.e., pt{Gi/) = GL2(F£). This means that 

Gal(L(E[£])/L) ^ GL 2 (¥ e ) 

for all but finitely many primes I. 

We illustrate the power of this theorem by sketching a proof of the following result. 

Corollary 6.2. Let E/L be an elliptic curve without complex multiplication. Then 

: ^ a prime of 0l, Nl/q^ <x,E mod *p is supersingular} = o(Li(x)). 

Proof : Fix a prime I. We need the following fundamental compatibility between the Frobenius 
at a prime ^ of L and the Frobenius on E mod ^3 via the representation p£. Suppose *P is a prime 
where E has good reduction, and assume that ^ does not divide the discriminant of L. Then 

Tr (p£(Frobip)) = a«p mod £, 

where a<p is the trace of Frobenius on the curve. 
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Let £q be such that for all primes £ > £$ the representation pi coming from E is surjective. Now 
for any prime £ > £q we have that Gal(L(E[£]) / L) = GL 2 (F^). Let Sq be the set of primes 

{*P : E has good reduction at and a<p = 0}. 

Note that the set Sq contains all the degree 1 primes where E has supersingular reduction. The 
Chebotarev density theorem says that the density of primes ^3 such that Tr (p^(Frob<p)) = mod £ 
is exactly the ratio 

JjjTrace conjugacy class of GL 2 (F^)} 
n= t)GL 2 (F,) ' 

A quick calculation shows that r<C|. Now 

lim ri = 0, 

proving that the density of the set So is (counted by norm) . The set of primes of L which are of 
degree > 1 are already density 0, when we are counting by norm. So that even among the degree 
1 primes there is only a density subset where E has supersingular reduction. □ 

6.3. Image of pg if E has CM. If E/L has CM we have, from the theory of complex multiplication 
( Sil94 Chapter II Theorem 2.3), the following result. 

Theorem 6.3. Let E/L be an elliptic curve that has complex multiplication by an order &e in 
Q(\^D) (D < 0) and let £ be a prime. Then L(\J~D, E[£\)/ L(V D) is an abelian extension. 

Now consider the following diagram of fields: 



L(VD,E[£}) 




L 

The group Gal(L(V^D, E[£\) / L(\J~D)) is an abelian subgroup of G&\(L(y/D, E[£])/L), furthermore, 
it has index 2. This implies that Gah(L(\fD , E[£\) / L) is solvable. Therefore Gal(L(E[£])/L), being 
a quotient of a solvable group, is also solvable. We have thus proved: 

Theorem 6.4. Suppose E/L is an elliptic curve with complex multiplication, and £ a prime. Then 
Im pi is solvable. 

6.4. The algorithm. The idea is to use Theorems 16.11 and 16.41 to check if E has CM. We pick 
£ > 5 and large enough so that if E did not have CM then pi would have to be surjective. Since 
SL2(F£), a subgroup of GL2(F£), is not solvable for £ > 5, GL 2 (F£) is not solvable for £ > 5. In 
summary, if £ is large enough, then G&l(L(E[£]) / L) is solvable iff E/L has complex multiplication. 
The extension L(E[£})/L is of degree < (JGL 2 (F £ ) = (£ 2 - l){£ 2 - £). Solvability of this extension 
can be checked in polynomial time, provided, £ is bounded polynomially in the input length. This 
can be done by computing the £ division polynomial of E and using the algorithm of Landau and 
Miller Len91 . To complete the description of the algorithm we need to decide how large an £ to 
take. The following theorem of Masser and Wiistholz |MWii93] allows us to do that. 
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Theorem 6.5. There are absolute constants c, 7 (7 is effectively computable) with the following 
properties. Suppose E is an elliptic curve of Weil height h defined over a number field L of degree 
d, and assume that E does not have complex multiplication. 

(1) If I > c(max{d, h})" 1 , then puiGjf) contains the special linear group SL2(F^). 

(2) If, further, £ does not divide the discriminant of L, then pg{Gjf) = GL2(F^). 

If p£ contains SL^F^) for £ > 5 then it is already non-solvable, thus we get the following result: 

Theorem 6.6. There are absolute constants c, 7 (7 effective) with the following property. Suppose 
E/L is an elliptic curve of Weil height h, d = [L : Q], and £ > max{c(max{d, h})' 1 , 5} is a prime. 
Then E has complex multiplication iff G&\(L(E[£]) / L) is solvable. 

Since the Weil-height of the elliptic curve is bounded polynomially by the input length, we get a 
deterministic polynomial time algorithm to test if E/L has complex multiplication. Unfortunately, 
the constant in the running time has not yet been made effective. Serre has conjectured that the 
lower bound on the primes for which pi is surjective for curves without CM over L should only 
depend on L and not on the curve |Ser72| §4.3. For all the curves (without CM) we tested £ = 5 
or 7 already gave non-solvable extensions. It must be noted however, that there are curves over Q 
for which pi is not surjective if £ < 47. 
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Table 1 . Proportion of Supersingular primes for CM curves 



Discriminant D of End(-E) 


Degree of Number field L 


7r(10 b ) 


-4 x 53 


6 


0.5043 


-59 


3 


0.5073 


-4 x 61 


6 


0.5079 


-71 


7 


0.5113 


-4 x 73 


4 


0.5110 


-79 


5 


0.5107 


-83 


3 


0.5088 


-4 x 89 


12 


0.5234 


-4 x 97 


4 


0.5040 



Table 2. Proportion of Supersingular primes for Non-CM curves 



Minimal polynomial of j-invariant 


7r B .o(10 5 ) 
tt(10 5 ) 


x 5 - 12x 4 - 65x 3 - 33x^ - 22x - 51 


0.0032 


x a - 78x 4 + 28x 6 + 14x^ - 92x + 19 


0.0036 


x a + 25x 4 + 7x 6 + 25x^ + 96x + 92 


0.0035 


x & + 71x 4 - 71x 3 + 41x^ + 61x + 93 


0.0034 


x & + 23x 4 + 84x il - 17x^ - 36x + 62 


0.0031 


x & - 94x 4 - 74x a + 78x^ + 51x - 10 


0.0033 


x s + 79x 4 + 97x 3 + 5x^ - 78x - 39 


0.0033 


x & + 68x 4 - 17x a + 99x^ - 34x - 93 


0.0025 



Appendix 

In this appendix we tabulate the ratios of supersingular to ordinary primes for some elliptic curves. 
In each case if E/L is an elliptic curve, we computed the ratio 

7r£,o(10 5 ) P rim e of G L ■ V relatively prime to A E and A r L/Q ( < P) < 10 5 } 

vr'(10 5 ) = prime of G L : N L/Q ^ < 10 5 } " 

All our computation was done using MAGMA version 2.10 [BC03 . 

In Table Q we give the results for elliptic curves with complex multiplication. To prepare this 
table we picked elliptic curves with CM by the maximal orders of Q(i/ — p) with p a prime in the 
range 50 < p < 100. We ignored those p for which the class number of Q( v / — p) is 1, since these 
curves are then defined over Q. The entries in the table are listed in increasing order of the prime p. 

In Table |^1 we give the results for elliptic curves without complex multiplication over a degree 5 
number field. The table was prepared by picking random monic polynomials of degree 5 and using 
a root of the polynomial as the j-invariant of the elliptic curve. We verified that these curves do 
not have CM by using the criterion described in Remark 15.91 We see that the results of these 
experiments are consistent with Theorems 15.41 and 15.51 
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